Using the HTML Editor in ASP.NET C#

Were you looking for an AJAX tutorial or how to Learn AJAX and use the AJAX control kit HTML Editor Control?

In This Tutorial we are going to provide you with a brief but detailed overview of the HTML Editor that is packaged along with the AJAX Control Toolkit. The HTML Editor is filled with plethora of options for changing font size , Selecting a font changing background colors adding links, changing the foreground, adding images text alignment and performing copy & paste functions.

First Things first let’s start by adding a ScriptManager control to the page, before we can even begin using the HTML Editor Tool Kit. The ScriptManager Control is found under the AJAX extensions Tab in Visual Studio Web Developer 2010.

After Adding the ScriptManager to the page, we will want to Add HTML Editor Control, in this case it is called Editor Control in the Toolkit.

Simply after dragging over the HTML editor over to the page, you can then set the properties in the properties toolbox. It is normal to set the Width and Height Properties to fit a page, I have placed the code below that illustrates that we just did the steps above.

In the Page above it contains Button control and a literal control, when you click the button the contents of the HTML editor Appear in the Literal control.

The HTML editor content property is used to locate the html entered in the HTML editor. Be advised that this HTML content can contain JavaScript. In the next section we will talk on how to protect yourself from JavaScript Injections.

Let’s Customize the HTML Editor ToolBar

Did you want to control what buttons appear in the editor? Well you can; for example, you might want to remove the HTML TAB to prevent users from switching over to the HTML editor into HTML Mode, quite a mouthful huh? This is used to prevent user from using some super large Fonts in a Forum to post an overly ridiculous Message in a post.

You must add the class in Listing 2 to your App_Code folder so that the class will be compiled automatically. If the App_Code folder does not exist in your website then you can simply add the folder.

After you create a custom editor, you can add it to an ASP.NET page in the same way as you add the normal HTML Editor (see Listing 3).

Avoiding Cross-Site Scripting (XSS) Attacks

Whenever you accept input from a user, and redisplay that input on your website, you potentially open your website to Cross-Site Scripting (XSS) Attacks. In theory, a malicious hacker could submit JavaScript code that gets executed when the input is redisplayed. The JavaScript could be used to steal user passwords or other sensitive information.

Normally, you can defeat XSS attacks by HTML encoding whatever input you retrieve from a user before displaying it in a web page. However, HTML encoding the output of the HTML Editor would not only encode “script” tags, it would also encode all HTML tags. In other words, you would lose all of the formatting such as the font type, font size, and background color.

If you are collecting sensitive information from your users — such as passwords, credit-card numbers, and social security numbers – then you should not display un-encoded content that you retrieve from a user with the HTML Editor. You should use the HTML Editor only in situations in which you are not redisplaying the HTML content, or the HTML content is being submitted to your website by a trusted party.

Imagine, for example, that you are creating a blog application. In this situation, it makes sense to use the HTML Editor when composing blog posts. You are the only one who submits a blog post and, presumably, you can trust yourself not to submit malicious JavaScript. However, it does not make sense to use the HTML Editor when allowing anonymous users to post comments. You should be especially careful in situations in which users submit sensitive information such as passwords. Potentially, a malicious user could post a comment that contains the right JavaScript for stealing a password.


In this tutorial, you were provided with a brief overview of the HTML Editor control included in the AJAX Control Toolkit. You learned how to use the HTML Editor to accept rich content from a user and submit the content to the server. We also discussed how you can customize the toolbar buttons that are displayed by the HTML Editor. Finally, you learned how to avoid Cross-Site Scripting Attacks when using the HTML Editor to accept potentially malicious input.